A global buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pstricks format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a global-buffer-overflow in shade\_or\_tint\_name\_after\_declare\_color at genpstricks.c:1135  
Please run following command to reproduce it,

ASAN LOG

Invalid color number \-1674115757 at line 37, using default color.
An open polygon at line 38 \- close it.
\=================================================================
\==22079\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x000000c5a81c at pc 0x00000080aeb5 bp 0x7ffd1029a770 sp 0x7ffd1029a768
READ of size 4 at 0x000000c5a81c thread T0
    #0 0x80aeb4 in shade\_or\_tint\_name\_after\_declare\_color /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:1135:41
    #1 0x80aeb4 in format\_options /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:1859
    #2 0x7fa81d in genpstrx\_line /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:2270:7
    #3 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #4 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #5 0x7ff8beecdb96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #6 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

0x000000c5a81c is located 4 bytes to the left of global variable 'color\_table' defined in 'genpstricks.c:986:3' (0xc5a820) of size 34816
0x000000c5a81c is located 44 bytes to the right of global variable 'dev\_pstricks' defined in 'genpstricks.c:2851:15' (0xc5a7a0) of size 80
SUMMARY: AddressSanitizer: global\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:1135:41 in shade\_or\_tint\_name\_after\_declare\_color
Shadow bytes around the buggy address:
  0x0000801834b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801834c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801834d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801834e0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000801834f0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 f9 f9
\=>0x000080183500: f9 f9 f9\[f9\]00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080183550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==22079\==ABORTING

fig2dev Version 3.2.7b

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21683: Xfig / Tickets / #77 global-buffer-overflow in shade_or_tint_name_after_declare_color at genpstricks.c:1135

A global buffer overflow in the put_font in genpict2e.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pict2e format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a global-buffer-overflow in put\_font at genpict2e.c:2229  
Please run following command to reproduce it,

ASAN LOG

\==36598\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x000000c4f858 at pc 0x0000007614d0 bp 0x7fff29528440 sp 0x7fff29528438
READ of size 8 at 0x000000c4f858 thread T0
    #0 0x7614cf in put\_font /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:2229:7
    #1 0x7614cf in genpict2e\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:2278
    #2 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7fb82753eb96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #5 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

0x000000c4f858 is located 8 bytes to the left of global variable 'texfonts' defined in 'genpict2e.c:54:14' (0xc4f860) of size 48
0x000000c4f858 is located 52 bytes to the right of global variable 'default\_color' defined in 'genpict2e.c:119:12' (0xc4f820) of size 4
SUMMARY: AddressSanitizer: global\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:2229:7 in put\_font
Shadow bytes around the buggy address:
  0x000080181eb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080181ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080181ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080181ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080181ef0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
\=>0x000080181f00: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9\[f9\]00 00 00 00
  0x000080181f10: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000080181f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080181f30: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000080181f40: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x000080181f50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==36598\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21684: Xfig / Tickets / #75 global-buffer-overflow in put_font at genpict2e.c:2229

A global buffer overflow in the genmp_writefontmacro_latex component in genmp.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into mp format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a global-buffer-overflow in genmp\_writefontmacro\_latex at genmp.c:1274  
Please run following command to reproduce it,

Here's log

\==17197\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x000000c7ffd8 at pc 0x00000070bc35 bp 0x7ffcf7797cd0 sp 0x7ffcf7797cc8
READ of size 8 at 0x000000c7ffd8 thread T0
    #0 0x70bc34 in genmp\_writefontmacro\_latex /home/tmp/mcj\-fig2dev/fig2dev/dev/genmp.c:1274:3
    #1 0x70bc34 in genmp\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genmp.c:1074
    #2 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7fab84f5db96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #5 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

0x000000c7ffd8 is located 8 bytes to the left of global variable 'texfontfamily' defined in 'texfonts.c:27:13' (0xc7ffe0) of size 48
SUMMARY: AddressSanitizer: global\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genmp.c:1274:3 in genmp\_writefontmacro\_latex
Shadow bytes around the buggy address:
  0x000080187fa0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080187fb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080187fc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080187fd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080187fe0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
\=>0x000080187ff0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9\[f9\]00 00 00 00
  0x000080188000: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x000080188010: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x000080188020: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080188030: 00 04 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080188040: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==17197\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21678: Xfig / Tickets / #71 global-buffer-overflow in genmp_writefontmacro_latex at genmp.c:1274

A stack-based buffer overflow in the put_arrow() component in genpict2e.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pict2e format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a stack-buffer-overflow in put\_arrow at genpict2e.c:1191  
Please run following command to reproduce it,

ASAN LOG

\==39178\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7fffc3316ec8 at pc 0x00000077150d bp 0x7fffc3316e70 sp 0x7fffc3316e68
READ of size 4 at 0x7fffc3316ec8 thread T0
    #0 0x77150c in put\_arrow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:1191:39
    #1 0x767f69 in genpict2e\_arc /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:2575:6
    #2 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7f8b1eb44b96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #5 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

Address 0x7fffc3316ec8 is located in stack of thread T0 at offset 72 in frame
    #0 0x76d4cf in put\_arrow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:1152

  This frame has 9 object(s):
    \[32, 36) 'sx' (line 1153)
    \[48, 52) 'sy' (line 1153)
    \[64, 68) 'lx' (line 1153) <== Memory access at offset 72 overflows this variable
    \[80, 480) 'points' (line 1154) <== Memory access at offset 72 underflows this variable
    \[544, 944) 'fillpoints' (line 1154)
    \[1008, 1408) 'clippts' (line 1154)
    \[1472, 1476) 'npoints' (line 1155)
    \[1488, 1492) 'nfillpoints' (line 1155)
    \[1504, 1508) 'nclippts' (line 1155)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genpict2e.c:1191:39 in put\_arrow
Shadow bytes around the buggy address:
  0x10007865ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865ad90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865ada0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865adb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865adc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10007865add0: f1 f1 f1 f1 04 f2 04 f2 04\[f2\]00 00 00 00 00 00
  0x10007865ade0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865adf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865ae00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x10007865ae10: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007865ae20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==39178\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21680: Xfig / Tickets / #74 stack-buffer-overflow in put_arrow at genpict2e.c:1191

A global buffer overflow in the set_color component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ge format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a global-buffer-overflow in set\_color at genge.c:437  
Please run following command to reproduce it,

ASAN LOG

Cannot locate user color 41, using default color at line 10.
\=================================================================
\==1767\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x0000009b325c at pc 0x00000069b1f8 bp 0x7fffe0afa7a0 sp 0x7fffe0afa798
READ of size 4 at 0x0000009b325c thread T0
    #0 0x69b1f7 in set\_color /home/tmp/mcj\-fig2dev/fig2dev/dev/genge.c:437:23
    #1 0x69b1f7 in genge\_arc /home/tmp/mcj\-fig2dev/fig2dev/dev/genge.c:345
    #2 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7f219e288b96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #5 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

0x0000009b325c is located 4 bytes to the left of global variable 'GE\_COLORS' defined in 'genge.c:55:12' (0x9b3260) of size 128
0x0000009b325c is located 53 bytes to the right of global variable '<string literal>' defined in 'genge.c:437:14' (0x9b3220) of size 7
  '<string literal>' is ascii string 'c%02d '
SUMMARY: AddressSanitizer: global\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genge.c:437:23 in set\_color
Shadow bytes around the buggy address:
  0x00008012e5f0: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 00 f9 f9
  0x00008012e600: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 00 03
  0x00008012e610: f9 f9 f9 f9 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
  0x00008012e620: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 00 06 f9 f9
  0x00008012e630: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 03 f9 f9
\=>0x00008012e640: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9\[f9\]00 00 00 00
  0x00008012e650: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x00008012e660: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x00008012e670: 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x00008012e680: 07 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x00008012e690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==1767\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21681: Xfig / Tickets / #73 global-buffer-overflow in set_color at genge.c:437

A global buffer overflow in the set_fill component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ge format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a global-buffer-overflow in set\_fill at genge.c:446  
Please run following command to reproduce it,

ASAN LOG

Invalid color number \-16 at line 33, using default color.
\=================================================================
\==3081\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x0000009b325c at pc 0x0000006953f0 bp 0x7ffd7c3cad60 sp 0x7ffd7c3cad58
READ of size 4 at 0x0000009b325c thread T0
    #0 0x6953ef in set\_fill /home/tmp/mcj\-fig2dev/fig2dev/dev/genge.c:446:27
    #1 0x6953ef in genge\_line /home/tmp/mcj\-fig2dev/fig2dev/dev/genge.c:143
    #2 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #3 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #4 0x7fbb4e7bcb96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #5 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

0x0000009b325c is located 4 bytes to the left of global variable 'GE\_COLORS' defined in 'genge.c:55:12' (0x9b3260) of size 128
0x0000009b325c is located 53 bytes to the right of global variable '<string literal>' defined in 'genge.c:437:14' (0x9b3220) of size 7
  '<string literal>' is ascii string 'c%02d '
SUMMARY: AddressSanitizer: global\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genge.c:446:27 in set\_fill
Shadow bytes around the buggy address:
  0x00008012e5f0: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 00 f9 f9
  0x00008012e600: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 00 03
  0x00008012e610: f9 f9 f9 f9 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
  0x00008012e620: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 00 06 f9 f9
  0x00008012e630: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 03 f9 f9
\=>0x00008012e640: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9\[f9\]00 00 00 00
  0x00008012e650: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x00008012e660: 07 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x00008012e670: 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x00008012e680: 07 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x00008012e690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==3081\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21682: Xfig / Tickets / #72 global-buffer-overflow in set_fill at genge.c:446

A stack-based buffer overflow in the genpstrx_text() component in genpstricks.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into pstricks format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a stack-buffer-overflow in genpstrx\_text at genpstricks.c:2732  
Please run following command to reproduce it,

ASAN LOG

\==48149\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7fffcd1c7b00 at pc 0x00000044823a bp 0x7fffcd1b7880 sp 0x7fffcd1b7030
WRITE of size 35 at 0x7fffcd1c7b00 thread T0
    #0 0x448239 in vsprintf (/home/tmp/fig2dev+0x448239)
    #1 0x448566 in \_\_interceptor\_sprintf (/home/tmp/fig2dev+0x448566)
    #2 0x81943b in genpstrx\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:2732:5
    #3 0x54b8bb in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1003:6
    #4 0x54b8bb in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:480
    #5 0x7fb45a113b96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #6 0x41b3a9 in \_start (/home/tmp/fig2dev+0x41b3a9)

Address 0x7fffcd1c7b00 is located in stack of thread T0 at offset 65856 in frame
    #0 0x817a5f in genpstrx\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genpstricks.c:2714

  This frame has 2 object(s):
    \[32, 65568) 'formatted\_text' (line 2716)
    \[65824, 65856) 'angle' (line 2717) <== Memory access at offset 65856 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow (/home/tmp/fig2dev+0x448239) in vsprintf
Shadow bytes around the buggy address:
  0x100079a30f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f30: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100079a30f40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x100079a30f50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
\=>0x100079a30f60:\[f3\]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f70: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 f3 f3
  0x100079a30f80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100079a30fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==48149\==ABORTING

fig2dev Version 3.2.7b

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21676: Xfig / Tickets / #76 stack-buffer-overflow in genpstrx_text at genpstricks.c:2732

A stack-based buffer overflow in the genptk_text component in genptk.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DOS) via converting a xfig file into ptk format.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-28

Private: No

Hi,  
I found a stack-buffer-overflow in genptk\_text at genptk.c:618

fig2dev Version 3.2.7b  
commit 93795dd396730c80e63767dede7777f4cb7dc383

Please run following command to reproduce it,

ASAN LOG

\==45827\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7fff76457e80 at pc 0x000000841291 bp 0x7fff76457650 sp 0x7fff76457648
WRITE of size 1 at 0x7fff76457e80 thread T0
    #0 0x841290 in genptk\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genptk.c:618:13
    #1 0x54ba7b in gendev\_objects /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:1012:6
    #2 0x54ba7b in main /home/tmp/mcj\-fig2dev/fig2dev/fig2dev.c:489
    #3 0x7f8360406b96 in \_\_libc\_start\_main /build/glibc\-OTsEL5/glibc\-2.27/csu/../csu/libc\-start.c:310
    #4 0x41b429 in \_start (/home/tmp/fig2dev+0x41b429)

Address 0x7fff76457e80 is located in stack of thread T0 at offset 2080 in frame
    #0 0x83e5ef in genptk\_text /home/tmp/mcj\-fig2dev/fig2dev/dev/genptk.c:520

  This frame has 1 object(s):
    \[32, 2080) 'stfp' (line 521) <== Memory access at offset 2080 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/tmp/mcj\-fig2dev/fig2dev/dev/genptk.c:618:13 in genptk\_text
Shadow bytes around the buggy address:
  0x10006ec82f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x10006ec82fd0:\[f3\]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x10006ec82fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec82ff0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
  0x10006ec83000: 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10006ec83010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ec83020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==45827\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2020-21675: Xfig / Tickets / #78 stack-buffer-overflow in genptk_text at genptk.c:618

An update for edk2 is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-38575: edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2021-08-10

Updated:

2021-08-10

**RHSA-2021:3066 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: edk2 security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for edk2 is now available for Red Hat Enterprise Linux 8.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.  

Security Fix(es):  

*   edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe (BZ#1956284)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 8 x86\_64
*   Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.6 x86\_64
*   Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.4 x86\_64
*   Red Hat Enterprise Linux Server - AUS 8.6 x86\_64
*   Red Hat Enterprise Linux Server - AUS 8.4 x86\_64
*   Red Hat Enterprise Linux Server - TUS 8.6 x86\_64
*   Red Hat Enterprise Linux Server - TUS 8.4 x86\_64
*   Red Hat Enterprise Linux for ARM 64 8 aarch64
*   Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
*   Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
*   Red Hat Enterprise Linux Server for x86\_64 - Update Services for SAP Solutions 8.6 x86\_64
*   Red Hat Enterprise Linux Server for x86\_64 - Update Services for SAP Solutions 8.4 x86\_64

**Fixes**

*   BZ - 1956284 - edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe

**Red Hat Enterprise Linux for x86\_64 8**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

x86\_64

edk2-ovmf-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 9c39c16fb5208fa307d0bf7297ae5ac951ea7beb33182654b0deb9dcbb1a01fc

**Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.6**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

x86\_64

edk2-ovmf-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 9c39c16fb5208fa307d0bf7297ae5ac951ea7beb33182654b0deb9dcbb1a01fc

**Red Hat Enterprise Linux for x86\_64 - Extended Update Support 8.4**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

x86\_64

edk2-ovmf-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 9c39c16fb5208fa307d0bf7297ae5ac951ea7beb33182654b0deb9dcbb1a01fc

**Red Hat Enterprise Linux Server - AUS 8.6**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

x86\_64

edk2-ovmf-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 9c39c16fb5208fa307d0bf7297ae5ac951ea7beb33182654b0deb9dcbb1a01fc

**Red Hat Enterprise Linux Server - AUS 8.4**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

x86\_64

edk2-ovmf-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 9c39c16fb5208fa307d0bf7297ae5ac951ea7beb33182654b0deb9dcbb1a01fc

**Red Hat Enterprise Linux Server - TUS 8.6**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

x86\_64

edk2-ovmf-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 9c39c16fb5208fa307d0bf7297ae5ac951ea7beb33182654b0deb9dcbb1a01fc

**Red Hat Enterprise Linux Server - TUS 8.4**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

x86\_64

edk2-ovmf-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 9c39c16fb5208fa307d0bf7297ae5ac951ea7beb33182654b0deb9dcbb1a01fc

**Red Hat Enterprise Linux for ARM 64 8**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

aarch64

edk2-aarch64-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 87840deb6eb77acd588947b2b2cbc965e86134e74dc8d71ed5231129f4606786

**Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

aarch64

edk2-aarch64-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 87840deb6eb77acd588947b2b2cbc965e86134e74dc8d71ed5231129f4606786

**Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

aarch64

edk2-aarch64-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 87840deb6eb77acd588947b2b2cbc965e86134e74dc8d71ed5231129f4606786

**Red Hat Enterprise Linux Server for x86\_64 - Update Services for SAP Solutions 8.6**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

x86\_64

edk2-ovmf-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 9c39c16fb5208fa307d0bf7297ae5ac951ea7beb33182654b0deb9dcbb1a01fc

**Red Hat Enterprise Linux Server for x86\_64 - Update Services for SAP Solutions 8.4**

SRPM

edk2-20200602gitca407c7246bf-4.el8\_4.2.src.rpm

SHA-256: db01b6fac3c6e598946112fc8adbec95413e12e63b57e9f34d884094b66e2895

x86\_64

edk2-ovmf-20200602gitca407c7246bf-4.el8\_4.2.noarch.rpm

SHA-256: 9c39c16fb5208fa307d0bf7297ae5ac951ea7beb33182654b0deb9dcbb1a01fc

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2021:3066: Red Hat Security Advisory: edk2 security update

The DEF CON 27 badge allows remote attackers to exploit a buffer overflow by sending an oversized packet via the NFMI (Near Field Magnetic Induction) protocol.

Tag

#buffer_overflow